eXpress App Framework Team


Applying Security to State Machine module

In this blog entry we will discuss how to restrict transitions to certain states to specific system roles. Do not be put off by the title; by the end of the post you will surely agree that this is not as complicated as it sounds!

In the following example, control over the transition to the Completed state is to be restricted to administrators. To make this happen we need to create a custom function criteria operator that enumerates all of the current user's roles and checks each role name against the function's argument. This is demonstrated below:

using System;
using DevExpress.Data.Filtering;
using DevExpress.ExpressApp;
using DevExpress.ExpressApp.Security;

public class IsAllowedToRoleOperator : ICustomFunctionOperator {

    public const string OperatorName = "IsAllowedToRole";

    #region ICustomFunctionOperator Members

    // Returns true when the current user holds the role whose name is passed as the single operand.
    public object Evaluate(params object[] operands) {
        if (!(operands != null && operands.Length == 1 && operands[0] is string)) {
            throw new ArgumentException("IsAllowedToRole operator should have one parameter - string roleName.");
        }
        var roleName = (string)operands[0];
        bool result = false;
        // A user that does not expose roles (or an unauthenticated context) yields false rather than an error.
        var userWithRoles = SecuritySystem.CurrentUser as IUserWithRoles;
        if (userWithRoles != null) {
            foreach (IRole role in userWithRoles.Roles) {
                if (role.Name == roleName) {
                    result = true;
                    break;
                }
            }
        }
        return result;
    }

    public string Name {
        get { return OperatorName; }
    }

    public Type ResultType(params Type[] operands) {
        return typeof(bool);
    }

    #endregion
}

After implementing the operator we still need to register it, for example in a custom module.

public override void CustomizeTypesInfo(DevExpress.ExpressApp.DC.ITypesInfo typesInfo) {
    base.CustomizeTypesInfo(typesInfo);
    // Register once; the function registry is global to the application.
    if (CriteriaOperator.GetCustomFunction(IsAllowedToRoleOperator.OperatorName) == null) {
        CriteriaOperator.RegisterCustomFunction(new IsAllowedToRoleOperator());
    }
}
Note: In future versions these custom operators will be registered in the core, and thus will appear in all relevant UIs - this sure sounds like the DX way!
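As an added example (not code from the post or from the XAF product), the same idea generalised to an any-of check over several role names, with the pure role comparison split out from the static SecuritySystem so it can be unit-tested with plain strings. The operator name IsInAnyRole, the Register helper and the role name 'Administrators' in the usage comment are assumptions; the XAF namespaces are the ones the post's operator already relies on.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using DevExpress.Data.Filtering;
using DevExpress.ExpressApp;
using DevExpress.ExpressApp.Security;

// Pure role check, kept free of SecuritySystem so it can be tested without a live security system.
public static class RoleCheck {
    public static bool IsInAnyRole(IEnumerable<string> grantedRoles, IEnumerable<string> requiredRoles) {
        if (grantedRoles == null || requiredRoles == null) return false;
        // Ordinal comparison: role names are identifiers, so "administrators" must not match "Administrators".
        var granted = new HashSet<string>(grantedRoles.Where(r => r != null), StringComparer.Ordinal);
        return requiredRoles.Any(r => r != null && granted.Contains(r));
    }
}

// Hypothetical any-of variant of the post's operator.
// Example TargetObjectCriteria (assumed role names): IsInAnyRole('Administrators', 'Supervisors')
public class IsInAnyRoleOperator : ICustomFunctionOperator {
    public const string OperatorName = "IsInAnyRole";

    public object Evaluate(params object[] operands) {
        // Malformed criteria are a configuration error: fail loudly instead of silently granting or denying.
        if (operands == null || operands.Length == 0 || operands.Any(o => !(o is string))) {
            throw new ArgumentException(OperatorName + " expects one or more string role names.");
        }
        var userWithRoles = SecuritySystem.CurrentUser as IUserWithRoles;
        if (userWithRoles == null) {
            return false; // no user with roles in the current context: deny the transition
        }
        var granted = userWithRoles.Roles.Cast<IRole>().Select(r => r.Name);
        return RoleCheck.IsInAnyRole(granted, operands.Cast<string>());
    }

    public string Name { get { return OperatorName; } }

    public Type ResultType(params Type[] operands) { return typeof(bool); }

    // Call once at module start-up (for example from CustomizeTypesInfo), as the post does for its operator.
    public static void Register() {
        if (CriteriaOperator.GetCustomFunction(OperatorName) == null) {
            CriteriaOperator.RegisterCustomFunction(new IsInAnyRoleOperator());
        }
    }
}
```

Because the state machine evaluates TargetObjectCriteria on the server side of the transition, a user who bypasses the UI still hits the same check; hiding the transition in the UI is a usability improvement, not the enforcement point.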

The next step is to set the TargetObjectCriteria of the Completed state to,


When a non-administrator tries to perform the transition as shown,


then a validation exception will be raised,


Using this approach the state machine designer can restrict transitions to certain states at runtime. Moreover, applying different types of security schemas is as easy as providing different versions of our custom function criteria operator.

We would appreciate your feedback on this post. Has it been useful to you? Feel free to contact us with any further questions.


Published Jul 22 2011, 09:09 AM by


christy pirumova

Tolis, I've searched the documentation for the IsAllowedToRole operator after your webinar about the state machine module :)

You have mentioned it there and I got the impression that it's a built-in one.

I liked the idea of such an operator and am glad you have posted its definition here.


July 22, 2011 2:51 PM

Defacto Software

Very good Tolis, thank you. Would it also be possible to not even show the state transition to Completed if the user has no rights?

July 23, 2011 5:00 AM

Apostolis Bekiaris (DevExpress)

Thanks for your comments!

@M. Brekhof Of course it is, I already included the solution in my next post. Stay tuned!

July 26, 2011 9:38 AM


Is this still current for State Machine? It would seem practical to have a level of abstraction where we throw a user-friendly error message, as this kind of message is not acceptable in a real-life app.

April 13, 2013 10:52 PM

Łukasz Polak

I agree with @drew... could you do something with it?

June 18, 2013 9:10 AM

Łukasz Polak

In the current version (13.1) there is a primitive exception message.

June 18, 2013 9:14 AM


Please provide a sample project to get the above result.

July 14, 2014 2:05 AM

Apostolis Bekiaris (DevExpress)

A ready-to-use StateMachine module is included in our community project in the Xpand.ExpressApp.StateMachine.dll.

related posts

July 14, 2014 2:25 AM

Dennis (DevExpress Support)

You can use the built-in IsCurrentUserInRole criteria function in the latest XAF versions.

February 4, 2015 9:30 AM


Copyright © 1998-2018 Developer Express Inc.
All trademarks or registered trademarks are property of their respective owners